T-Mobile exposed private customer data to hackers who used only a phone number

Hackers discovered a flaw on the T-Mobile website that let them hijack customers’ personal information simply by plugging in phone numbers, according to Motherboard.

Last week, security researcher Karan Saini, of the security information site Secure7, found the vulnerability and informed T-Mobile of the glitch. T-Mobile removed the flaw and offered Saini $1,000 as part of the company’s Bug Bounty program.

In an online chat, Saini told Motherboard that a hacker exploiting this flaw could have easily collected the data from millions of people.

“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” said Saini.

T-Mobile contends that a widespread breach of its customers’ personal and phone information did not occur, telling Motherboard that “There is no indication that it was shared more broadly.”

Yesterday, however, an anonymous hacker informed Motherboard that hackers had been exploiting the T-Mobile glitch for quite some time. Unsettlingly, this anonymous source sent a Motherboard reporter a screenshot of the reporter’s own account data, supposedly accessed through the site’s security flaw.

Mashable has reached out to T-Mobile for comment about this breach, and will update the story if we hear back.
